<html>
<head><meta charset="utf-8"><title>Memory safety bugs in Rust std · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Memory.20safety.20bugs.20in.20Rust.20std.html">Memory safety bugs in Rust std</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="233744413"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Memory%20safety%20bugs%20in%20Rust%20std/near/233744413" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Yechan Bae <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Memory.20safety.20bugs.20in.20Rust.20std.html#233744413">(Apr 08 2021 at 23:08)</a>:</h4>
<ol>
<li>Right now, RustSec only tracks Rust std bugs that have CVE numbers assigned. Unfortunately, this makes memory safety bugs in the Rust standard library less represented than a bug in a toy crate on <a href="http://crates.io">crates.io</a>.</li>
<li>In the last attempt (<a href="https://github.com/rust-lang/rust/issues/561">#561</a>), we decided to request a CVE number before creating a RustSec advisory to be consistent with other std bugs. This seems to be much slower than I expected. I requested a CVE number through the MITRE form but haven't heard anything back for 3.5 weeks.</li>
<li>In comparison, id-map was reported to RustSec on April 2nd and got CVE numbers on April 7th, in 5 days. I don't know who it is, but some CVE authority seems to be monitoring RustSec bugs and filing CVEs for them.</li>
<li>Can we do the same thing for std bugs?</li>
</ol>
<p>Tracking issue: <a href="https://github.com/RustSec/advisory-db/issues/539">#539</a></p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>